
Configuring Offline Root CA on Windows 2008 R2 server

A friend of mine said to me that automatic publishing of CRLs (for example every 180 days) should be disabled (how to do that?).

He showed me a few Verisign certificates that do not have CDP defined.
I think that CRL from Offline Root CA SHOULD (MUST) be published to confirm validity of all certificates that were issued (signed) by Offline Root CA.

My Offline Root CA is configured with a CRL publication interval of 180 days. The Offline Root CA is not connected to the network and is turned off all the time.

When I'm publishing a CRL from the Offline Root CA, I'm manually copying it to the CDP, which is an online location on the network (IIS). In the event of revocation of some subordinate CAs, I would manually force publishing of the CRL.

Should I or should I not configure an autopublish interval for the CRL on the Offline Root CA? Is there a way to disable it?

The root CA is the most secure and protected CA in the chain. This is why it is highly recommended to be kept offline.
The root CA provides certificates to higher-level CAs, which are usually online.
Usually you revoke a CA from your higher-level CAs only when it is compromised. Hopefully this doesn't happen too frequently on your site.

So, from my point of view the 180-day interval is OK. As far as I know, you can disable the delta CRL publication interval, but you can't do it for the CRL.
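The settings discussed in this thread (base CRL interval, delta CRL disabled, manual publication and copying to the IIS CDP) can be applied and checked from an elevated prompt on the root CA with certutil. The script below is an added example written for this thread, not code from either poster; the CRL file path under C:\Windows\System32\CertSrv\CertEnroll, the CRL file name and the UNC path of the IIS CDP share are assumptions and must be replaced with the values from your own CA.

```powershell
# Added example: configure and verify CRL publication on an offline root CA (Windows 2008 R2).
# Run in an elevated PowerShell session on the root CA itself.

# 1. Base CRL: publish every 180 days (the interval discussed above).
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"

# 2. Overlap: keep the previous CRL valid for a while after the new one is issued,
#    so a late manual copy to the CDP does not leave relying parties with an expired CRL.
certutil -setreg CA\CRLOverlapUnits 14
certutil -setreg CA\CRLOverlapPeriod "Days"

# 3. Delta CRLs: pointless on an offline root that issues only a handful of
#    subordinate CA certificates; setting the unit count to 0 disables them.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Registry changes take effect after a CA service restart.
Restart-Service CertSvc

# 4. Show the effective values so the configuration can be reviewed.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLDeltaPeriodUnits

# 5. Force publication of a new base CRL now (this is the manual step the original
#    poster describes, e.g. after revoking a subordinate CA certificate).
certutil -CRL

# 6. Inspect the freshly written CRL and confirm its Next Update is in the future.
#    ASSUMPTION: file name follows the default "<CA common name>.crl" pattern.
$crlFile = 'C:\Windows\System32\CertSrv\CertEnroll\Contoso Offline Root CA.crl'
certutil -dump $crlFile | Select-String 'Update'

# 7. Copy the CRL to the online CDP location served by IIS.
#    ASSUMPTION: the IIS server exposes its CDP directory as a writable share.
$cdpShare = '\\WEB01\CertEnroll$'
Copy-Item -Path $crlFile -Destination $cdpShare -Force
```

Step 6 is the check a practitioner should keep: if the Next Update date has passed before the next manual publish, every certificate chaining to the root fails revocation checking at clients that require a valid CRL, which is why the overlap in step 2 is worth setting even with a long base interval.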